Cryptology is the science of secret writing and has been used for millennia to transmit information from one party to another without allowing intermediaries to learn the information. Cryptology includes cryptography, which is the encoding of information, and cryptanalysis, which is the decoding of the information. Often, people use the term cryptography to cover both cryptography and cryptanalysis.
In cryptology, one party wishes to send an original message, in plaintext, to another party. The text is encrypted using an algorithm or cipher, and the result is called ciphertext.
Usually a key is used as part of the input to the algorithm, to vary the results of the algorithm and make the ciphertext more difficult to decipher, or turn back into plaintext. Symmetric encryption uses a single key to both encrypt the plaintext and decrypt the ciphertext. Asymmetric encryption uses two separate keys, one to encrypt, and one to decrypt. These two keys have a mathematical relationship that allows what is encrypted with one key to be decrypted only with the other key. Because of the nature of the mathematical relationship between the two keys, it takes longer to compute the encryption and decryption of information using asymmetric encryption.
Public key cryptography uses asymmetric encryption, where one key is made public, and the other is kept private. This is also referred to as a public/private key pair. A message sender may publish its public key, and anyone can use it to encrypt information. The sender will be the only one who can decrypt the information, using a private key. A second benefit to asymmetric encryption is that data can be encrypted with a private key, which anyone knowing the sender's public key can then decrypt, creating a digital signature that is unique. Digital signatures can also be referred to as digital certificates. Often, a third-party Certificate Authority (“CA”) is relied upon to authenticate a particular record. The system of using public and private keys and a CA is frequently referred to as the Public Key Infrastructure (“PKI”).
Another aspect of cryptology is the message-digest algorithm. A message-digest algorithm takes any amount of plaintext and produces a fixed-length ciphertext, which is referred to as the message digest, digest, or hash. A strong message-digest algorithm produces a unique digest for each input, such that if only one character of the plaintext changes the new digest is different.
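The signature and message-digest mechanisms described in the two paragraphs above can be shown together. The following is an added example, not part of the original text: it uses unpadded "textbook" RSA over a SHA-256 digest, with a demonstration key constructed from two well-known Mersenne primes (not a secure way to generate keys), and all function names and sample messages are assumptions made for illustration.

```python
import hashlib

# Constructed demo key: two well-known Mersenne primes. Special-form primes
# are NOT safe for real RSA; they are used here only so the block runs offline.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)


def digest(message: bytes) -> bytes:
    """Fixed-length message digest: SHA-256 always yields 32 bytes."""
    return hashlib.sha256(message).digest()


def sign(message: bytes) -> int:
    """Transform the digest with the private key, as the text describes."""
    return pow(int.from_bytes(digest(message), "big"), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding (N, E) recovers the signed digest and compares it."""
    recovered = pow(signature, E, N)
    return recovered == int.from_bytes(digest(message), "big")


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    original = b"Pay 100 dollars to Alice"   # constructed sample message
    altered = b"Pay 900 dollars to Alice"    # one character changed
    sig = sign(original)
    # Digest length does not depend on input length.
    print(len(digest(b"")), len(digest(original * 1000)))
    # A one-character change flips many of the 256 digest bits.
    print(differing_bits(digest(original), digest(altered)))
    # The signature verifies only for the exact message that was signed.
    print(verify(original, sig), verify(altered, sig))
```

Production signature schemes add padding (for example RSASSA-PSS) and use randomly generated primes; the unpadded form here only illustrates the private-key/public-key relationship.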
The security of an algorithm used to encrypt information is based on whether or not it is considered possible to crack the ciphertext and find the plaintext. The larger the key used with the algorithm, the more secure the data.
Cryptanalysts traditionally break ciphers by finding patterns within the data or by learning the key. Having more examples of ciphertext created with the same key increases the chance of finding patterns within the resulting data. Most algorithms are published in order to undergo public scrutiny to see if there are any weaknesses that can be used to break the cipher.
A number of vulnerabilities exist in the Public Key Infrastructure. As described, for example, in an article by Carl Ellison (CEO of Counterpane Internet Security, Inc.) and Bruce Schneier (Senior Security Architect for Intel Corporation), “Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure,” a number of intransigent difficulties are associated with PKI.
Many current certification systems for electronic records depend upon a trusted third party, whose identity and public key can be verified by some alternate path and whose systems, processes and procedures for issuing certificates must be trusted. Such trust may not, in some cases, be warranted. For example, a Certificate Authority may or may not be a trustworthy organization. Properly evaluating the credentials of an entity that is to issue certificates is difficult. There is also a risk in a CA-based system that the private signing key may not be secure. The CA needs to identify an applicant before issuing a certificate, but the checks on the applicant to ensure the right person has been signed up to receive particular data may not be followed. Also, a certification for an individual with a particular name may not be trustworthy if there is more than one individual with the same name. In such a case, public keys and data may be misdirected. Further, it is difficult to ensure that all of the computers involved in a particular transaction (and particularly the verifying computer) are secure.
Certificates and their key pairs last a relatively long period of time. If the certificates and key pairs are compromised, however, certificate revocation lists must be published to anyone who might get and rely upon the third party's signature. Indeed, severe consequences may result if the certificate authority's key pair is compromised.
Reliable certification becomes even more important as increased reliance is placed upon E-commerce and more purchases are made using the internet. The more funds associated with E-commerce, the greater incentive there is for computer hackers to misdirect funds and the more dire the consequences are if the trusted third party certifying a particular set of data makes a mistake.
Accordingly, less reliance on trusted third parties in order to provide documentary assurance is generally preferred. There is a growing need for better assurance that a particular document (or set of data) has existed in an unaltered state as of a particular time.